
Where are they getting my email addresses from?

superFoolish
Lemon Slice
Posts: 253
Joined: November 7th, 2016, 12:28 am
Been thanked: 57 times

Where are they getting my email addresses from?

#193577

Postby superFoolish » January 15th, 2019, 12:41 am

Over the past two weeks, I have started to receive far more spam than usual. That is not a concern in itself, but what is concerning me, is where they are getting the email addresses from. Most of the email addresses that they are spamming are of the format uniquename@myprivatedomain.co.uk.

Points of note:

1) The use of .co.uk is relevant - I haven't used any of those email addresses for at least 5 years, and often more than 8 years.
2) The unique name part would be something like websitename@, creditcardco@
3) Most of the emails have been spoofed to appear to be sent from the email address to which they were sent (and are of the porn blackmail variety).
4) I have also received spam that has been spoofed from a very old (unused) contact's email address.

To be clear, I have no concern about the content of the emails; I know they are confidence scams, and I am not going to be sending anyone any money!

Normally, I would not be too concerned about spam because, in the past, the email addresses that have been spoofed are known-to-be-hacked sites or generic email addresses (such as accounts@, support@, etc). However, I have been receiving spam for email addresses such as:

capitalone@myprivatedomain.co.uk

I can guarantee that the only place that email address would be stored is on my gmail account and Capital One web site unless Capital One shared my email address with another organisation, which is possible, but, I have checked all emails I have ever received at that email address; the last email I received was from Capital One in 2005, and I have not received any other emails using that email address from any other organisation. Maybe Capital One passed my email address to an organisation who never emailed me, but has since been hacked (e.g. third-party marketing company)?

Referring to point 4 above, I received an email that appears to be spoofed from a contact (last real communication 10 years ago) to my me@mypersonal.co.uk email address (that I haven't used for at least 5 years). I would deduce that my old contact (from a University course) must have been hacked, because that's the only way that they would have both his and my email addresses together. I thought perhaps the University (or someone else in a previous email CC) could have been hacked, but that is highly unlikely, because how would the spammer have linked just me and my contact (and no one else) in the same email (it's possible, but unlikely)?

I think it is most likely that I have not had my gmail account or PC hacked because:

a) The spam email content is generic. If they had hacked my gmail / PC, they could personalise the email to make it more convincing
b) Without exception, all the email addresses have not been used by me for 5 years or more. It would be unlikely that someone would hack my gmail account / PC and only harvest old email addresses
c) I haven't detected any other nefarious activity.
d) I have 2FA on my gmail account and receive notifications if anyone logs in from another device or location.

I am guessing that somewhere there has been an unused cache of email addresses, that someone has recently decided to start spamming, and that it may be a coincidence that my old contact has probably been hacked (or a service that he used to communicate with me, has been hacked).

As already mentioned, I have 2FA enabled on gmail, and I have also changed my gmail password.

What should I do to check that my PC has not been compromised (Windows 10)? I don't think it has been, but I'd like to run some checks.

Thanks in advance.

UncleEbenezer
The full Lemon
Posts: 10815
Joined: November 4th, 2016, 8:17 pm
Has thanked: 1472 times
Been thanked: 3006 times

Re: Where are they getting my email addresses from?

#193585

Postby UncleEbenezer » January 15th, 2019, 7:29 am

Pure speculation here (I use the same address scheme as you, and haven't seen spam on it).

Might it be that your email system has leaked information? If a probe tries a million guess@yourdomain addresses and a handful exist, what information will the probe have? If the mailserver has confirmed that guess4567 is a valid address, they've begun to build a list. Does your server respond to any lower-cost probe than trying to deliver email? Does it have any 'sticky' component to thwart rapid-fire from a probe? Worse still, if your server can be induced to leak a list without the need for guessing!

No, I don't think that's a *likely* explanation. But at least worth investigating.

superFoolish
Lemon Slice
Posts: 253
Joined: November 7th, 2016, 12:28 am
Been thanked: 57 times

Re: Where are they getting my email addresses from?

#193596

Postby superFoolish » January 15th, 2019, 8:06 am

Thanks for your response.

I have been using gmail mail servers for 8 months. Prior to that, I had used 1&1 email servers for well over a decade. The spammed email addresses do not have mailboxes, so there’s nothing to ‘probe’ as I understand it. Other than a couple of genuine mailboxes, all the spammed email addresses fall under ‘catch-all’ mailboxes.

The chances of them being random email addresses are virtually zero. The vast majority of the spammed catch-all addresses are ones that I have used, with only a tiny proportion being speculative (e.g. accounts@, sales@).

One point of note that I did not mention, but has just occurred to me, is that my gmail address (myname@gmail.com) has never been compromised, nor have any of the derivatives that I have used (e.g. myname+website@gmail.com). I’ve been using those derivatives quite heavily over the last 12 months and, as previously mentioned, without exception, the spammed email addresses are ones that I haven’t used for over 5 years.

swill453
Lemon Half
Posts: 7991
Joined: November 4th, 2016, 6:11 pm
Has thanked: 991 times
Been thanked: 3659 times

Re: Where are they getting my email addresses from?

#193599

Postby swill453 » January 15th, 2019, 8:29 am

Any possibility that an old backup of yours in the cloud somewhere could have been accessed? Or an old, disposed-of hard disk hacked?

Scott.

superFoolish
Lemon Slice
Posts: 253
Joined: November 7th, 2016, 12:28 am
Been thanked: 57 times

Re: Where are they getting my email addresses from?

#193620

Postby superFoolish » January 15th, 2019, 9:20 am

swill453 wrote:Any possibility that an old backup of yours in the cloud somewhere could have been accessed? Or an old, disposed-of hard disk hacked?


My mail has been stored in gmail for over 7 years; no cloud backup before that.

I used to back up my gmail to a cloud company (for the last couple of years), but all my email was backed up, not just email over 5 years old, which is what is being spammed.

Hard disk was a good suggestion, but highly unlikely. I did leave some hard disks when I left the UK nearly 8 years ago, but they lived in a bucket of water, outside, for two months, and then I barbecued them before they went to the tip! My other old hard disks are in my garage (I forgot that I had them, but found them when I was getting rid of junk last week).

I'm wondering if the spam is just a resurgence of hacked email addresses (from web sites) that have been sitting on the web for a few years, and are being used by fairly amateur spammers. The content of the spam emails is totally generic.

I have checked a few of the email addresses against the haveibeenpwned.com database, and they don't show up, whereas a couple of more recent ones (such as the adobe web site hack) are on there. I'm not sure if knowing that that helps in any way!

Slarti
Lemon Quarter
Posts: 2941
Joined: November 4th, 2016, 3:46 pm
Has thanked: 640 times
Been thanked: 496 times

Re: Where are they getting my email addresses from?

#193653

Postby Slarti » January 15th, 2019, 11:27 am

superFoolish wrote:Over the past two weeks, I have started to receive far more spam than usual. That is not a concern in itself, but what is concerning me, is where they are getting the email addresses from. Most of the email addresses that they are spamming are of the format uniquename@myprivatedomain.co.uk.

Points of note:

1) The use of .co.uk is relevant - I haven't used any of those email addresses for at least 5 years, and often more than 8 years.

//

What should I do to check that my PC has not been compromised (Windows 10)? I don't think it has been, but I'd like to run some checks.

Thanks in advance.


Have you checked at https://haveibeenpwned.com/ ?

If you find your email addresses on there, it will tell you where they were leaked from.

Slarti

didds
Lemon Half
Posts: 5311
Joined: November 4th, 2016, 12:04 pm
Has thanked: 3296 times
Been thanked: 1034 times

Re: Where are they getting my email addresses from?

#193658

Postby didds » January 15th, 2019, 11:40 am

Another possibility...

Once by whosoever means the spoofer has determined that a domain exists (random strings? checking whois databases somehow etc) after that it's just a case of trying <quasi-random string>@<domain name> .

It could be as simple as bruteforce attacks where they are "guessing" at domain names until they get a non-bounce.

It's pretty trivial in reality

didds

neversay
Lemon Slice
Posts: 632
Joined: January 27th, 2017, 9:31 pm
Has thanked: 1156 times
Been thanked: 283 times

Re: Where are they getting my email addresses from?

#193717

Postby neversay » January 15th, 2019, 1:49 pm

Have you had that gmail account synced to your phone then (accidentally) given a phone app permission to access your contacts?

superFoolish
Lemon Slice
Posts: 253
Joined: November 7th, 2016, 12:28 am
Been thanked: 57 times

Re: Where are they getting my email addresses from?

#193949

Postby superFoolish » January 16th, 2019, 10:57 am

Slarti wrote:Have you checked at https://haveibeenpwned.com/ ?

If you find your email addresses on there, it will tell you where they were leaked from.

Slarti


Yes, I checked, and they are not on there, other than a couple that I already knew about (e.g. Adobe hack from a few years ago).

superFoolish
Lemon Slice
Posts: 253
Joined: November 7th, 2016, 12:28 am
Been thanked: 57 times

Re: Where are they getting my email addresses from?

#193951

Postby superFoolish » January 16th, 2019, 11:03 am

didds wrote:Another possibility...

Once by whosoever means the spoofer has determined that a domain exists (random strings? checking whois databases somehow etc) after that it's just a case of trying <quasi-random string>@<domain name> .

It could be as simple as bruteforce attacks where they are "guessing" at domain names until they get a non-bounce.

It's pretty trivial in reality


Definitely not this; my catch-all address would have received every brute force guess. Apart from a few generic ‘guesses’ (e.g. accounts@, info@, etc) that have been spammed for years, the spammed addresses are definitely email addresses that I have used.

superFoolish
Lemon Slice
Posts: 253
Joined: November 7th, 2016, 12:28 am
Been thanked: 57 times

Re: Where are they getting my email addresses from?

#193957

Postby superFoolish » January 16th, 2019, 11:18 am

neversay wrote:Have you had that gmail account synced to your phone then (accidentally) given a phone app permission to access your contacts?


I don’t have those email accounts as contacts because they are managed by a catch-all email address. I have never sent email from the addresses, and they are only in emails that I have received, and which are at least over 5 years old.

To have obtained the email addresses from me, they could only obtain them by scanning my received emails.

Not one of the catch-all email addresses that I have used in the last 5 years appears in the spam emails.

If an app had access to my emails, I think it is unlikely that they would specifically harvest addresses from emails that were received by me 5 years ago. Furthermore, I have used dozens (perhaps 100 or more) catch-all addresses and only, perhaps, a dozen at most are receiving spam.

I am pretty much certain that they are from an external source (i.e. not my gmail), but I can’t understand how the capitalone@ email address was harvested; I can’t find any evidence that Capital One has ever been ‘pwned’.
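The triage the thread keeps doing by hand (which catch-all aliases are being hit, whether the From: header mirrors the recipient, and whether the alias is a guessable generic or a per-site unique one) can be scripted. This is an added example, not part of any poster's message; the sample messages are constructed, `myprivatedomain.co.uk` is the placeholder domain from the thread, and the `GENERIC` list is an assumption.

```python
from collections import defaultdict
from email import message_from_string
from email.utils import getaddresses, parseaddr

DOMAIN = "myprivatedomain.co.uk"  # placeholder domain from the thread
GENERIC = {"accounts", "info", "sales", "support"}  # guessable local parts (assumed list)

# Constructed sample messages (not real spam), raw RFC 5322 text.
SAMPLES = [
    "From: capitalone@myprivatedomain.co.uk\nTo: capitalone@myprivatedomain.co.uk\n"
    "Subject: s1\n\nbody",
    "From: CAPITALONE@myprivatedomain.co.uk\nTo: <capitalone@myprivatedomain.co.uk>\n"
    "Delivered-To: capitalone@myprivatedomain.co.uk\nSubject: s2\n\nbody",
    'From: "Old Contact" <contact@example.ac.uk>\nTo: websitename@myprivatedomain.co.uk\n'
    "Subject: s3\n\nbody",
    "From: x@example.net\nTo: accounts@myprivatedomain.co.uk, someone@example.org\n"
    "Subject: s4\n\nbody",
]

def recipients(msg, domain):
    """Unique local parts at `domain` named in To/Cc/Delivered-To."""
    headers = []
    for name in ("To", "Cc", "Delivered-To"):
        headers += msg.get_all(name, [])
    found = set()
    for _, addr in getaddresses(headers):
        local, _, dom = addr.lower().rpartition("@")
        if local and dom == domain:
            found.add(local)
    return found

def summarise(raw_messages, domain=DOMAIN):
    """Map alias -> hits, self-spoofed hits, and generic/unique kind."""
    report = defaultdict(lambda: {"hits": 0, "self_spoofed": 0, "kind": ""})
    for raw in raw_messages:
        msg = message_from_string(raw)
        sender = parseaddr(msg.get("From", ""))[1].lower()
        for local in recipients(msg, domain):
            row = report[local]
            row["hits"] += 1
            # From: is attacker-controlled; equality only shows the spoofing pattern.
            row["self_spoofed"] += sender == f"{local}@{domain}"
            row["kind"] = "generic-guess" if local in GENERIC else "unique-alias"
    return dict(report)

if __name__ == "__main__":
    for alias, row in sorted(summarise(SAMPLES).items()):
        print(alias, row)
```

Hits on a unique alias point at the one party that was given that address (or someone it shared the address with), whereas hits on generic local parts are consistent with guessing against a catch-all.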

